2 Background and Related Works
2.7 Previous Work in SDN DDoS Attack Detection
Seungwon Shin et al. [23] propose implementing an SDN architecture as a method for intrusion detection in a cloud environment. In the proposed scheme OpenFlow is integrated into the network structure to control the network flows and divert traffic along a path where it is inspected by pre-installed security devices (e.g. a network intrusion detection system (NIDS), a firewall, etc.). Employing the SDN infrastructure simplifies the network operator’s job in a large cloud infrastructure: changes in flow directions and network policies can be performed by running simple scripts on the controller that install new flow entries on the switches. The controller itself is not involved in detecting abnormal activity, but it is responsible for calculating the best and shortest paths that guide the traffic through the NIDS.
In a similar approach Snort, an Intrusion Detection System (IDS), is used to monitor network traffic and identify malicious activity in the network. An Intrusion Prevention System (IPS) is an IDS that can automatically take action against suspect events upon attack detection. Tianyi Xing et al. [24] have implemented an IPS called SnortFlow by integrating Snort and OpenFlow modules. In this approach the cloud networking environment is dynamically reconfigured, using the capabilities of OpenFlow switches, to detect and prevent attacks in real time.
Kreutz et al. [25] argue for the need to build secure and dependable SDNs from the design phase. Bringing replication, diversity and dynamic switch association to the design of the SDN control platform are the main mitigation methods they describe for several threat vectors that enable exploitation of SDN vulnerabilities. In the proposed example a number of replicated controllers are deployed, so that a backup controller takes over if one controller malfunctions. The controllers must be designed to interoperate, and the switches must be able to dynamically associate with the controllers. To prevent a simultaneous attack on all controllers, controller diversity must be considered to improve the robustness of the system. FRESCO [25] is an extension of this work that makes it easy to create and deploy SDN security services.
FRESCO [23] is a framework proposed for easier design of secure SDN networks. FRESCO presents an OpenFlow security application development framework that assists in prototyping new composable security services in OpenFlow networks. It offers a library of reusable security modules that can detect and mitigate different attacks, and its scripting API enables the rapid design and development of these modular libraries. Essential security functions (e.g. firewalls, IDS, attack deflectors, etc.) can be simulated by assigning values to the module interfaces and connecting the necessary modules. The modules can produce flow rules used to enforce the security directives.
Braga et al. [26] propose a DDoS detection method built into the NOX controller and based on Self-Organizing Maps (SOM). A SOM is an unsupervised artificial neural network, trained here with features of the network flows that are periodically collected from the switches. Traffic is classified as either normal or abnormal based on the SOM pattern. As shown in figure 10, this detection method consists of three modules running periodically within a loop in the NOX controller:
The flow collector module queries the switches periodically for their flow tables.
The feature extractor module extracts the main features studied for DDoS attack detection and gathers them in 6-tuples. The elements calculated from the collected features, which the next module uses for traffic classification, are: average number of packets per flow, average number of bytes per flow, average flow duration, percentage of pair flows, growth of single flows and growth of different ports.
The classifier module analyzes each 6-tuple and decides whether it corresponds to a DDoS attack.
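The feature extractor step above, as an added illustration that is not the authors' code: a Flow models one flow-table entry as the collector returns it, and the two "growth" features are assumed here to mean "count per collection interval", since the text does not define them further.

```python
# Feature extraction for the 6-tuple that feeds the SOM classifier of Braga et al. [26].
# Added illustration, not the authors' code. A Flow models one flow-table entry as
# returned by the collector; the two "growth" features are assumed here to mean
# "count per collection interval", since the text does not define them further.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst sport dport packets bytes duration")


def extract_6tuple(flows, interval_seconds):
    """Return the 6-tuple for one collection interval as a dict, or None if no flows."""
    n = len(flows)
    if n == 0:
        return None
    # A pair flow is one whose reverse direction (dst->src, dport->sport) is also present;
    # a flood with spoofed sources produces many single flows that never get a reply.
    keys = {(f.src, f.dst, f.sport, f.dport) for f in flows}
    pairs = sum(1 for f in flows if (f.dst, f.src, f.dport, f.sport) in keys)
    singles = n - pairs
    return {
        "avg_packets_per_flow": sum(f.packets for f in flows) / n,
        "avg_bytes_per_flow": sum(f.bytes for f in flows) / n,
        "avg_duration_per_flow": sum(f.duration for f in flows) / n,
        "pct_pair_flows": 100.0 * pairs / n,
        "single_flow_growth": singles / interval_seconds,                 # assumed definition
        "port_growth": len({f.dport for f in flows}) / interval_seconds,  # assumed definition
    }


# Constructed flow tables (not captured data) for a 3 s collection interval.
NORMAL = [  # two client/server conversations, each seen in both directions
    Flow("10.0.0.1", "10.0.0.9", 40001, 80, 120, 90000, 12.0),
    Flow("10.0.0.9", "10.0.0.1", 80, 40001, 110, 150000, 12.0),
    Flow("10.0.0.2", "10.0.0.9", 40002, 443, 60, 30000, 5.0),
    Flow("10.0.0.9", "10.0.0.2", 443, 40002, 55, 70000, 5.0),
]
FLOOD = [  # spoofed sources, one packet each, a different port every time, no replies
    Flow(f"172.16.{i // 256}.{i % 256}", "10.0.0.9", 50000 + i, 1000 + i, 1, 60, 0.1)
    for i in range(300)
]

if __name__ == "__main__":
    for name, flows in (("normal", NORMAL), ("flood", FLOOD)):
        print(name, extract_6tuple(flows, 3))
```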
Figure 10: Detection Loop Operation [26]
Querying the switches periodically, especially in a large-scale cloud architecture with a large number of switches, puts an extreme overhead on the system and eventually affects the performance of the controller. Processing the high volume of flows in the flow tables is another issue that must also be carefully considered.
Tamihiro Yuzawa [27] uses a new-generation database that does the heavy lifting of sFlow data processing for DDoS attack detection. sFlow, or "sampled flow", is an industry standard for packet export at Layer 2 of the OSI model. To keep the legitimate traffic running and provide source- and destination-based filtering, OpenFlow, or more specifically Floodlight’s Static Flow Pusher API, is used. Static Flow Pusher is a Floodlight module that allows a user to manually insert flows into an OpenFlow network; this is known as the proactive approach to flow insertion. Doing DDoS mitigation in this way requires a lot of preparation and a strong understanding of the network flows.
Yu-Hunag et al. [28] from Chunghwa Telecom Co. propose an OpenFlow DDoS Defender that monitors flows on an OpenFlow switch. If the number of packets received in 5 seconds exceeds 3000, the number of packets is then studied per second. If the number of packets per second exceeds 800 for 5 consecutive times, an attack is detected and the DDoS Defender starts dropping the incoming packets until the flow entry times out.
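The two-stage threshold check just described, as an added illustration that is not the authors' code: one FlowDefender tracks a single flow on the switch and is fed that flow's packet count once per second; it assumes the 5-second windows do not overlap and that a quiet second during the per-second check returns the flow to the coarse check, neither of which the text specifies.

```python
# Two-stage threshold check of the OpenFlow DDoS Defender described for [28]. Added
# illustration, not the authors' code: one FlowDefender tracks one flow on the switch
# and is fed that flow's packet count once per second (assumed: 5 s windows don't overlap).
WINDOW_SECONDS = 5          # coarse check: packets counted over 5 s
WINDOW_PACKETS = 3000       # more than this in 5 s switches to the per-second check
PER_SECOND_LIMIT = 800      # per-second check: packets/s regarded as excessive
CONSECUTIVE_SECONDS = 5     # seconds over the limit before an attack is declared

class FlowDefender:
    def __init__(self):
        self.window = []         # per-second counts of the current 5 s window
        self.fine_check = False  # True once a 5 s total exceeded WINDOW_PACKETS
        self.over_limit = 0      # consecutive seconds over PER_SECOND_LIMIT
        self.dropping = False    # True while the flow's packets are being dropped

    def tick(self, packets_this_second):
        """Feed one second's packet count; return True while the flow is dropped."""
        if self.dropping:
            return True
        if not self.fine_check:
            self.window.append(packets_this_second)
            if len(self.window) == WINDOW_SECONDS:
                if sum(self.window) > WINDOW_PACKETS:
                    self.fine_check = True
                self.window = []
        elif packets_this_second > PER_SECOND_LIMIT:
            self.over_limit += 1
            if self.over_limit >= CONSECUTIVE_SECONDS:
                self.dropping = True  # attack detected: drop until the entry times out
        else:
            self.fine_check = False   # assumed: a quiet second returns to the coarse check
            self.over_limit = 0
        return self.dropping

    def flow_entry_timeout(self):
        """The switch removed the flow entry: stop dropping and start over."""
        self.__init__()

def first_drop_second(per_second_counts):
    """Return the 1-based second at which dropping starts, or None if it never does."""
    defender = FlowDefender()
    for second, count in enumerate(per_second_counts, start=1):
        if defender.tick(count):
            return second
    return None

if __name__ == "__main__":
    # constructed traces: steady legitimate load, a sustained flood, and a short burst
    print(first_drop_second([100] * 20), first_drop_second([900] * 12),
          first_drop_second([3500, 0, 0, 0, 0, 900, 900, 900, 900, 500]))
```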
Syed Akbar Mehdi et al. [29] argue that network security tasks should be delegated to home and office networks instead of ISPs. In the presented work security policy enforcement is delegated to the downstream networks. Four prominent traffic anomaly detection algorithms, threshold random walk with credit-based rate limiting, rate limiting, the maximum entropy detector and the Network Traffic Anomaly Detector (NETAD), are implemented in the NOX controller, and it is observed that anomaly detection can function at line rate without any performance degradation in the home network traffic. It is suggested that this approach can monitor network activity without the need for excessive sampling.
C. Dillon and M. Berkelaar [12] monitor the flow statistics sent from the OpenFlow switch to the controller to find large spikes in traffic that could be signs of an attack. The OpenFlow controller then finds the sources of the attack traffic and, as a mitigation method, flows are installed on the switches to drop traffic from the suspected sources. The proposed detection techniques include packet symmetry and temporary blocking of the traffic. In the routine traffic state a symmetrical behavior exists between the two sides of a communication; in the learning phase the symmetry ratio in the network is analyzed, and sources with a highly asymmetric ratio are suspected of an attack. In temporary blocking, flows are blocked for a short period and the reaction of the traffic to this blocking is used to determine whether it is legitimate. The three phases of this strategy are sampling, blocking and analysis.
Entropy variation of the destination IP address is used as an early detection method in the POX controller in the work of Seyed Mohammad Mousavi [30]. Entropy is a measure of randomness: the maximum entropy occurs when each incoming packet is destined for a different host, and the minimum when all packets are destined for the same destination address. As explained in the previous chapters, a characteristic of a DDoS attack is sending a high volume of packets to the same destination, so in the proposed method the destination IP is used for the entropy computation. The algorithm flow chart is shown in figure 11. A window of packets is studied and the entropy of their destination IP addresses is calculated; if the calculated entropy is below the threshold a consecutive number of times, an attack is reported. There are a number of limitations to this method. When the number of hosts under attack within the network rises, or when the entire network is under attack, the entropy detection fails. On the other hand, when the load of legitimate traffic increases at peak times, using the proposed entropy detection mechanism alone results in false positive attack detections, because the algorithm does not adapt dynamically to changes in traffic load. The work done in this project is an improvement on the previous work done in [32].
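The windowed destination-IP entropy check and its first limitation, as an added illustration that is not the thesis author's code: the window size, threshold and consecutive-window count are assumed values, not taken from [30], and the constructed traces show a single-target flood being caught while a flood spread over three hosts stays above the threshold.

```python
# Destination-IP entropy detector modelled on the description of [30]. Added
# illustration, not the thesis author's code. Window size, threshold and the
# consecutive-window count below are assumed values, not taken from [30].
import math
from collections import Counter

WINDOW_PACKETS = 50        # packets per analysed window (assumed)
ENTROPY_THRESHOLD = 1.0    # bits; a window below this is suspicious (assumed)
CONSECUTIVE_WINDOWS = 5    # low-entropy windows in a row before reporting (assumed)

def dst_ip_entropy(dst_ips):
    """Shannon entropy in bits of the destination-IP distribution of one window."""
    n = len(dst_ips)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(dst_ips).values())

class EntropyDetector:
    def __init__(self, window=WINDOW_PACKETS, threshold=ENTROPY_THRESHOLD,
                 consecutive=CONSECUTIVE_WINDOWS):
        self.window, self.threshold, self.consecutive = window, threshold, consecutive
        self.buf = []          # destination IPs of the window being filled
        self.low_windows = 0   # consecutive windows below the threshold

    def observe(self, dst_ip):
        """Feed one packet's destination IP; return True when an attack is reported."""
        self.buf.append(dst_ip)
        if len(self.buf) < self.window:
            return False
        low = dst_ip_entropy(self.buf) < self.threshold
        self.buf = []
        self.low_windows = self.low_windows + 1 if low else 0
        return self.low_windows >= self.consecutive

def first_alert(dst_ips):
    """Return how many packets were consumed when the first alert fires, or None."""
    detector = EntropyDetector()
    for count, ip in enumerate(dst_ips, start=1):
        if detector.observe(ip):
            return count
    return None

# Constructed traces (not captured traffic) on a /24 with ten active hosts.
LEGIT = [f"10.0.0.{i % 10}" for i in range(500)]           # spread evenly: log2(10) bits
SINGLE_TARGET = ["10.0.0.9"] * 300                          # flood on one host: 0 bits
MULTI_TARGET = [f"10.0.0.{i % 3 + 1}" for i in range(300)]  # three hosts flooded: ~1.58 bits,
                                                            # above the threshold, so missed

if __name__ == "__main__":
    print(first_alert(LEGIT), first_alert(SINGLE_TARGET), first_alert(MULTI_TARGET))
```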